Oktopost and GDPR

Background

In 2016 the European Union (EU) approved and adopted a new data protection framework, the General Data Protection Regulation (GDPR), which will come into effect on May 25th, 2018. It is the most significant piece of data protection legislation to date and will impact any organization that processes personal data in connection with goods/services offered to an EU resident or monitors the behavior of persons within the EU. The GDPR strengthens individuals' privacy rights by placing tighter limits on the processing of their personal data, significantly expanding their rights over their data, and providing increased transparency into the nature, purpose, and use of it.

We understand that data protection is important to our customers. As an Israeli company, we are already subject to data protection laws and standards similar to those defined by the EU, and we are well aware of the need to provide our EU customers with the ability to meet the new requirements as directed by the EU prior to May 2018.

As part of the preparation for the new regulations, we have reviewed our privacy and data protection policies to ensure that they adhere to the GDPR standard, and we will work with our customers, in their role as data controllers, to become accustomed to the regulations. We can confirm that Oktopost has been preparing for the GDPR in order to begin following its standards by May 2018. Oktopost understands the importance the GDPR holds for our customers, and wants to offer the appropriate service.

Oktopost's Commitment to Data Protection and GDPR Compliance

As part of our effort to stay at the forefront of social media marketing, we understand that customer engagement plays a significant role in today’s marketing ecosystem, and we understand the importance of putting privacy and data protection in the hands of the data subject. As with other data protection laws, GDPR compliance requires commitment from both Oktopost and our customers. Oktopost will be compliant with the GDPR prior to the regulation coming into effect. We have carefully examined the relevant provisions of the GDPR and we are closely tracking applicable GDPR guidance issued by regulatory authorities. These steps are helping us to develop tools for our customers relevant to the GDPR-compliant use of Oktopost's services.

How Does The GDPR Apply to Oktopost And Our Customers?

Oktopost is a social media management platform that enables its customers to engage audiences, measure results, and amplify reach on social media. Because the content on social media is user-generated, it may at any time contain personal data if users of social media decide to share such information. As a result, the GDPR will apply differently to Oktopost and to its customers.

Following previous regulations, the GDPR differentiates between organizations that are “data controllers” and “data processors”. Based on the EU definitions, Oktopost is considered a data processor of content generated, requested or published through our support platforms, following customer instructions through our platform. This emphasizes that our customers are in control of how their data is collected, and therefore, legally, they are data controllers of the content found on our platform. More information about the data collected by us and our customers is found in our Privacy Policy.

What is Oktopost Doing to Prepare For The GDPR?

Oktopost appreciates the security and privacy that the GDPR offers, and acknowledges that it will strengthen and improve the safeguards already in place before May 2018. From our understanding, the regulations require us to work in partnership with our customers through the use of our service to ensure a strong bond with them, and we feel that the new regulations will strengthen these bonds through the choice of using our services.

Oktopost can verify that we are preparing for the GDPR in order to ensure that our customers and services follow the specified regulations. We have been taking a closer look at each of our product and service offerings, making sure each section is GDPR approved, through steps such as:

Working side-by-side with our external counsel to ensure that the regulations are followed

Performing an organizational review of all personal data processing within the company, focusing on GDPR alignment

Thorough reviews of all technical and organizational processes, ensuring our teams all follow the new regulations

Oktopost is also in the process of preparing a new Data Processing Addendum (DPA) in light of the GDPR’s Article 28 on data processors. This GDPR DPA will be available to customers in the EEA in due course to help our customers prepare for May 2018.

What Organizational And Technical Safeguards Does Oktopost Already Provide to Help its Customers Comply With The GDPR?

Oktopost already maintains a consistently high bar for security and compliance, details of which can be found on our Security and Customer Data Protection page, and uses industry-leading organizational and technical measures to keep personal data secure. These include:

Administrative Controls

Access Controls

Encryption of Data

Strict Security Measures

Where Does Oktopost Process and Store Data?

Oktopost processes and stores data on the Amazon Web Services ("AWS") servers that it licenses, which are located in the United States. AWS maintains that they have certified to the Privacy Shields and will be GDPR compliant as well. See https://aws.amazon.com/compliance/eu-data-protection/ for additional information.

Suggested Steps for GDPR Compliance

In order to prepare for the GDPR's new regulation, companies should take the following steps before May 25, 2018.

Thoroughly examine the regulations required under the GDPR

Designate a GDPR compliance team, understand the requirement for a Data Protection Officer and emphasize their responsibility to accommodate the new regulations

Understand how to handle data subjects’ rights requests, and implement policies and procedures

Conduct an internal review of the processor and sub-processor agreements

Focus on recording personal data processing activities, and obtain the legal basis for each activity

If needed, update privacy and security policies to accommodate the new regulations, as well as the data breach notification protocols